
SonicWall Cloud Backup Users: Firewall Configs at Risk

Summary

– SonicWall confirmed unauthorized access to firewall configuration backup files for all customers using its cloud backup service.
– The stolen files contain encrypted credentials and configuration data that could increase targeted attack risks.
– Access was gained through brute-force attacks in early September 2025, targeting approximately 5% of SonicWall’s firewall install base.
– SonicWall has released remediation tools and priority classifications to help customers secure affected devices.
– Customers are urged to check the MySonicWall portal and follow guidance to disable WAN services and update credentials.

SonicWall has officially confirmed a significant security incident involving unauthorized access to firewall configuration backup files for every customer who used its cloud backup service. The breach exposed encrypted credentials and configuration data, raising serious concerns about the potential for future targeted cyberattacks. The company acknowledged that, although the data remains encrypted, possession of these files could heighten security risks for affected organizations.

Investigations revealed that the attackers employed brute-force methods to gain entry to the backup files. The primary objective behind this intrusion appears to be the collection of sensitive information to facilitate subsequent malicious campaigns. Initial signs of suspicious activity directed at the firewall cloud backup service were first identified in early September 2025.

SonicWall publicly disclosed the incident on September 17, initially estimating that threat actors had accessed firewall preference files for approximately five percent of its firewall installations stored in the cloud. Following a thorough investigation conducted with the assistance of Mandiant, the company is now in the process of notifying all impacted partners and customers.

The firm is strongly urging all partners and customers to log into their accounts and verify the status of their devices. In response to the breach, SonicWall has rolled out additional security hardening measures and is collaborating closely with Mandiant to further bolster its cloud infrastructure and monitoring capabilities.

To aid in the response, SonicWall has released specialized tools designed to help with device assessment and remediation. Customers can access the updated and final lists of affected firewalls through the MySonicWall portal under the Product Management > Issue List section.

Each listed device has been assigned a specific priority level to help customers plan and execute remediation efforts efficiently. The priority categories are defined as follows:

Active – High Priority:
Devices with internet-facing services enabled fall under this category. For any firewalls identified on these lists, immediate containment and remediation are crucial, following SonicWall’s official guidance. Security teams should promptly disable or limit access to services from the Wide Area Network (WAN).

Afterward, all credentials that were active at the time of the backup, or earlier, must be thoroughly reviewed and updated for each affected firewall. Customers who used SonicWall’s cloud backup feature but do not see their device serial numbers listed in the portal can expect further instructions and support from SonicWall soon.
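The remediation steps above (classify a device as Active – High Priority when any internet-facing service is enabled, disable or limit WAN-reachable services, then rotate every credential that was active at the time of the backup or earlier) can be turned into a simple triage script. The following is an added example written for this article, not a SonicWall tool, and it does not parse SonicWall's actual backup or export format: the inventory records, serial numbers, service names and dates are all constructed, and the non-high-priority label is a placeholder because the page does not define the other categories.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory model; NOT SonicWall's backup/export format.
# One record per firewall whose configuration was stored in the cloud
# backup service: the date of the most recent cloud backup, which
# management services are reachable from the WAN, and the credentials
# held in that configuration with the date each was last rotated.

@dataclass
class Credential:
    name: str
    last_rotated: date

@dataclass
class Firewall:
    serial: str
    last_cloud_backup: date
    wan_services: list      # e.g. ["SSLVPN", "HTTPS-management"]; empty = nothing exposed
    credentials: list       # list[Credential]

HIGH = "Active - High Priority"
OTHER = "Other priority (placeholder; not defined on this page)"

def priority(fw: Firewall) -> str:
    """Any internet-facing service enabled puts the device in the
    Active - High Priority bucket."""
    return HIGH if fw.wan_services else OTHER

def credentials_to_rotate(fw: Firewall) -> list:
    """Every credential active at the time of the backup, or earlier, must be
    rotated. A credential rotated AFTER the backup date was never in the
    exposed file, so it is excluded."""
    return [c.name for c in fw.credentials
            if c.last_rotated <= fw.last_cloud_backup]

def remediation_plan(inventory) -> list:
    """High-priority devices first; each entry lists the WAN services to
    disable or restrict and the credentials to rotate afterward."""
    ordered = sorted(inventory, key=lambda f: priority(f) != HIGH)
    return [{
        "serial": fw.serial,
        "priority": priority(fw),
        "disable_wan": list(fw.wan_services),
        "rotate": credentials_to_rotate(fw),
    } for fw in ordered]

# Constructed sample data (serials and dates are made up).
SAMPLE_INVENTORY = [
    Firewall("SN-CONSTRUCTED-0001", date(2025, 8, 30),
             ["SSLVPN", "HTTPS-management"],
             [Credential("admin", date(2025, 3, 1)),
              Credential("ldap-bind", date(2025, 8, 30)),       # rotated on backup day: still exposed
              Credential("ipsec-psk-branch", date(2025, 9, 10))]),  # rotated after backup: not exposed
    Firewall("SN-CONSTRUCTED-0002", date(2025, 8, 15),
             [],
             [Credential("admin", date(2025, 1, 20))]),
]

if __name__ == "__main__":
    for entry in remediation_plan(SAMPLE_INVENTORY):
        print(entry)
```

The date comparison is inclusive on purpose: a credential rotated on the same day as the backup may still have been captured, so it stays on the rotation list. In practice the inventory would be populated from the affected-device list in the MySonicWall portal and the organization's own credential records.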

(Source: NewsAPI Cybersecurity & Enterprise)
